Tesla Model S Hackers Return for Encore Attack

With a handful of self-driving vehicles already on the road, the car is poised to be the next vanguard for high technology. And Tesla's all-electric vehicles are among the most advanced consumer vehicles on the road.

At Black Hat 2016, researchers from Tencent KeenLab demonstrated how to remotely take control of a Tesla Model S. Tesla quickly patched those vulnerabilities, but the Tencent team returned to Black Hat 2017 with a new slew of Tesla attacks.

Roll Back

During their Black Hat session, researchers Ling Liu, Sen Nie, and Yuefeng Du explained last year's Tesla hack in detail. Critical to attacking the Model S was the onboard Wi-Fi and 3G radios.

The Wi-Fi in the Model S tries to reconnect with known networks. That's true—and not great security—for many devices, but all Tesla vehicles are exposed to the same Wi-Fi network during construction, which has an easily guessed password. From there, the team attacked the vehicle's built-in browser, which they admitted was harder than expected because Tesla had already patched known vulnerabilties.

Using some JavaScript magic, the team elevated the privilege to the top (root) level, attacked the old, out-of-date kernel, bypassed a firmware integrity check, and finally installed their own firmware on the gateway system. Once under their control, this critical system was the jumping-off point for the team's work in the Model S. With this level of control, the team could perform dangerous actions even when the car was in motion. Notably, the team also found attack vectors allowing them to gain access through the car's 3G radio.

Tesla Fights Back

The researchers notified Tesla of their findings, and the company released an update package within 10 days that fixed many of the vulnerabilities in the long, complex chain required to gain control of a Model S.

The researchers praised Tesla, which updated the kernel to a much newer version, making it harder to exploit. Tesla also hardened its browser, with multiple ways to protect vehicle systems even when the browser was compromised. The company also added code signing, which ensures that only legitimate code can be accepted as an update and installed by the vehicle.

Hacking Should Be Fun

But this is Black Hat. The team told the audience that shortly after the Tesla rolled out the new kernel, they found a zero-day vulnerability that allowed them to completely bypass the new code-signing mechanism.

Related

In a video demonstration (above), the team showed how they were able to use an app to open the doors and trunks of two vehicles. They even demonstrated how they could engage the brakes while the car was in motion, with a Tesla stopping just short of two of the researchers.

But the researchers said they believed hacking should be fun, which is why their grand finale was a syncronized light show using the Tesla's exterior lighting systems synched to music. Flashing patterns covered the vehicle, withe the lights clearly operating in a way not intended by the manufacturer. The gull-wing doors even opened and bobbed up and down like rhythmic rabbit years. A member of the research team told the audience that making this light show work properly was very difficult, and required all of the vulnerabilities they had found.

Not quite the tired hoody-and-sunglasses approach to hacking, but definitely a memorable attack.